Critical Vulnerability in Hugging Face’s LeRobot Exposes Remote Code Execution Risk

A serious security flaw in Hugging Face's LeRobot platform could allow unauthenticated attackers to execute arbitrary code remotely, raising significant security concerns.

A critical vulnerability has been identified in LeRobot, an open-source robotics platform developed by Hugging Face, which boasts nearly 24,000 stars on GitHub. This flaw, designated as CVE-2026-25874 with a CVSS score of 9.3, poses a risk of remote code execution due to unsafe deserialization of data.

Details of the Vulnerability

The vulnerability arises from the use of the unsafe pickle format within the async inference pipeline of LeRobot. Specifically, the function pickle.loads() is used to deserialize data received over unauthenticated gRPC channels that lack TLS in both the policy server and robot client components. This allows an unauthenticated attacker to send a crafted pickle payload through various gRPC calls, including SendPolicyInstructions, SendObservations, and GetActions, potentially leading to arbitrary code execution.
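As an added, defender-side illustration (not code from LeRobot or from the advisory), the following Python shows why pickle.loads() on network input is a code-execution risk and what a hardened receiver can do instead: it statically scans the stream for the opcodes that import or call Python objects, and then loads only primitive containers through an Unpickler that refuses every global lookup. The message contents are constructed samples; the real remedy is a format that cannot encode code (JSON, Safetensors), with this allow-listing as defence in depth.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that let a pickle stream name and invoke arbitrary Python objects.
# Any stream containing them can run code while it is being loaded, which is
# why pickle.loads() on unauthenticated network input is a remote code execution risk.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def find_dangerous_opcodes(data: bytes) -> list:
    """Statically scan a pickle stream without executing it.

    Returns the names of opcodes that would import a global or call a callable
    during unpickling. An empty list means the stream only builds primitive
    containers (dict, list, tuple, str, bytes, numbers).
    """
    return [opcode.name for opcode, _arg, _pos in pickletools.genops(data)
            if opcode.name in DANGEROUS_OPCODES]


class PrimitiveOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global, so no class or function
    can be imported or called as a side effect of loading."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    """Load untrusted pickle bytes, accepting only primitive containers."""
    bad = find_dangerous_opcodes(data)
    if bad:
        raise pickle.UnpicklingError(
            f"rejected pickle containing opcodes {sorted(set(bad))}")
    return PrimitiveOnlyUnpickler(io.BytesIO(data)).load()


# Constructed sample messages (not real LeRobot traffic). A plain dict is
# accepted; a message that requires importing a class (a harmless datetime
# here) is rejected before any object is constructed.
BENIGN_MESSAGE = pickle.dumps({"timestep": 42, "joints": [0.1, 0.2, 0.3]})
OBJECT_MESSAGE = pickle.dumps(datetime.datetime(2026, 1, 1))
```

A receiver that must keep pickle on the wire would call safe_loads() where it now calls pickle.loads(); the scan also makes a useful detection signal, since a rejected stream on a channel that should carry only observations or actions is worth alerting on.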

Impact and Exploitation

According to cybersecurity firm Resecurity, the vulnerability is particularly concerning as it allows an attacker to execute arbitrary commands on the host machine running the service. The implications of such an exploit include:

  • Unauthenticated remote code execution
  • Complete compromise of the PolicyServer host
  • Impact on connected robots
  • Theft of sensitive data, including API keys and SSH credentials
  • Lateral movement across the network
  • Service disruptions and potential physical safety risks

Status of the Vulnerability

The vulnerability has been confirmed against LeRobot version 0.4.3 and remains unpatched at this time. A fix is anticipated in version 0.6.0. The flaw was initially reported by a researcher known as chenpinji in December 2025, and further details were published by security researcher Valentin Lobstein last week.

Community Response and Future Considerations

In response to the discovery, the LeRobot team acknowledged the security risk and indicated that a significant refactoring of the affected codebase is necessary. Tech lead Steven Palma noted that while LeRobot has primarily served as a research and prototyping tool, the increasing adoption of the platform in production environments necessitates a stronger focus on security. The open-source nature of the project allows the community to contribute to identifying and addressing such vulnerabilities.

This incident highlights the inherent risks associated with the pickle format, which has been criticized for its potential to facilitate arbitrary code execution through deserialization of untrusted data. Lobstein remarked on the irony of Hugging Face developing Safetensors, a serialization format intended to mitigate such risks, while their own robotics framework still employs the unsafe pickle method.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
